aws-security-analyst

Model Details

  • Model Name: aws-security-analyst
  • Base Model: OpenNix base model (LLaMA 3.1 8B based)
  • License: llama3.1
  • Model Type: Causal Language Model (Fine-tuned with LoRA for AWS Security)
  • Architecture: 8B parameters
  • Specialization: AWS Cloud Security Events Analysis

Model Description

LLaMA 3.1 8B Instruct model fine-tuned for AWS cloud security event analysis.

Analyzes events from 20+ AWS security sources including CloudTrail, GuardDuty, Security Hub, Macie, Inspector, Config, VPC Flow Logs, WAF, and more.

Key Features

  • 20+ AWS Security Sources: CloudTrail, GuardDuty, SecurityHub, VPCFlow, WAF, Macie, Inspector, Config, etc.
  • MITRE ATT&CK Mapping: 135 cloud techniques, 14 tactics
  • Compliance Framework Support: 195 items (CIS, PCI-DSS, HIPAA, GDPR, FedRAMP, NIST)
  • Attack Scenario Detection: 20 multi-step attack scenarios
  • Severity Mapping: AWS native scales → Wazuh levels (0-15)
  • Advanced Analysis: Threat assessment, incident response recommendations

Training Data

  • Total Samples: 2000
  • AWS Sources: 20 (CloudTrail, GuardDuty, SecurityHub, VPCFlow, WAF, Macie, Inspector, Config, etc.)
  • Attack Scenarios: 20 multi-step scenarios
  • MITRE Techniques: 135 cloud techniques
  • Compliance Items: 195 (CIS 62, PCI-DSS 49, HIPAA 35, GDPR 15, FedRAMP 3, NIST 31)

Distribution:

  • GuardDuty Findings: 86 types
  • CloudTrail Events: 74 types
  • Security Hub Findings: CIS, PCI-DSS, HIPAA compliance
  • VPC Flow Logs: 5 attack patterns

Capabilities

AWS Security Event Analysis

# Example usage
from transformers import AutoModelForCausalLM, AutoTokenizer

model = AutoModelForCausalLM.from_pretrained("pyToshka/aws-security-analyst")
tokenizer = AutoTokenizer.from_pretrained("pyToshka/aws-security-analyst")

# Analyze an AWS GuardDuty finding: one event, then the four sections the
# model was trained to return
prompt = """Analyze this AWS security event:
Event Source: GuardDuty
Finding Type: UnauthorizedAccess:EC2/SSHBruteForce
Severity: 8.0
Resource: EC2 instance i-1234567890abcdef0
Source IP: 45.142.120.10

Provide:
1. Threat assessment
2. MITRE ATT&CK techniques
3. Compliance impact
4. Recommended actions
"""

inputs = tokenizer(prompt, return_tensors="pt")
outputs = model.generate(**inputs, max_new_tokens=512)

# generate() returns prompt + completion; keep only the newly generated tokens
# and drop special tokens so the response is just the analysis text
prompt_len = inputs["input_ids"].shape[1]
response = tokenizer.decode(outputs[0][prompt_len:], skip_special_tokens=True)
print(response)
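The example above hand-writes the prompt, and the Key Features list mentions mapping AWS-native severity scales onto Wazuh levels without publishing the table. The following helper, added here as illustration and not part of the pyToshka/aws-security-analyst repository, builds the same prompt layout from a raw GuardDuty finding and attaches a Wazuh level derived from the finding's severity. The finding is constructed to follow the GuardDuty JSON layout, and the band-to-level table is an assumption of this example (the card does not state the exact mapping the model was trained on); the GuardDuty bands (Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9-10) and Security Hub normalized ranges (0, 1-39, 40-69, 70-89, 90-100) are the ones AWS documents.

```python
"""Build the card's analysis prompt from a GuardDuty finding and map AWS-native
severity scores to Wazuh rule levels (0-15).

Illustrative code, not part of the model repository. The sample finding is
constructed; the band -> Wazuh level table is an assumption.
"""
from typing import Any, Dict

# Constructed GuardDuty finding, trimmed to the fields used below. Values mirror
# the card's own example (SSH brute force, severity 8.0).
SAMPLE_FINDING: Dict[str, Any] = {
    "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "Severity": 8.0,
    "Region": "us-east-1",
    "Resource": {
        "ResourceType": "Instance",
        "InstanceDetails": {"InstanceId": "i-1234567890abcdef0"},
    },
    "Service": {
        "Action": {
            "ActionType": "NETWORK_CONNECTION",
            "NetworkConnectionAction": {
                "ConnectionDirection": "INBOUND",
                "RemoteIpDetails": {"IpAddressV4": "45.142.120.10"},
            },
        }
    },
}

# Assumed severity band -> Wazuh level. Wazuh treats 12+ as high-importance
# alerts, so HIGH and CRITICAL findings land there.
WAZUH_LEVEL = {"INFORMATIONAL": 3, "LOW": 5, "MEDIUM": 8, "HIGH": 12, "CRITICAL": 15}


def guardduty_band(severity: float) -> str:
    """GuardDuty severity (0.1-10): Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9-10."""
    if severity < 1.0:
        return "INFORMATIONAL"
    if severity < 4.0:
        return "LOW"
    if severity < 7.0:
        return "MEDIUM"
    if severity < 9.0:
        return "HIGH"
    return "CRITICAL"


def securityhub_band(normalized: int) -> str:
    """Security Hub Severity.Normalized (0-100) bands as documented for ASFF."""
    if normalized == 0:
        return "INFORMATIONAL"
    if normalized <= 39:
        return "LOW"
    if normalized <= 69:
        return "MEDIUM"
    if normalized <= 89:
        return "HIGH"
    return "CRITICAL"


def to_wazuh_level(source: str, score: float) -> int:
    """Map a native severity score from a known source to a Wazuh level."""
    if source == "GuardDuty":
        band = guardduty_band(float(score))
    elif source == "SecurityHub":
        band = securityhub_band(int(score))
    else:
        raise ValueError(f"no severity scale known for source {source!r}")
    return WAZUH_LEVEL[band]


def build_prompt(finding: Dict[str, Any]) -> str:
    """Flatten a GuardDuty finding into the prompt layout used in the card's example.

    Missing fields degrade to "n/a" rather than raising, so partial findings
    (for example sampled from EventBridge) still produce a usable prompt.
    """
    severity = float(finding.get("Severity", 0.0))
    level = to_wazuh_level("GuardDuty", severity)
    instance = (finding.get("Resource", {}).get("InstanceDetails", {})
                .get("InstanceId", "n/a"))
    remote_ip = (finding.get("Service", {}).get("Action", {})
                 .get("NetworkConnectionAction", {}).get("RemoteIpDetails", {})
                 .get("IpAddressV4", "n/a"))
    lines = [
        "Analyze this AWS security event:",
        "Event Source: GuardDuty",
        f"Finding Type: {finding.get('Type', 'n/a')}",
        f"Severity: {severity} (Wazuh level: {level})",
        f"Resource: EC2 instance {instance}",
        f"Source IP: {remote_ip}",
        "",
        "Provide:",
        "1. Threat assessment",
        "2. MITRE ATT&CK techniques",
        "3. Compliance impact",
        "4. Recommended actions",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The returned string is what you pass to tokenizer(...) in the card's example.
    print(build_prompt(SAMPLE_FINDING))
```

Keeping the Wazuh level in the prompt lets the model's output be filed alongside Wazuh's own alerts at a consistent level; if you change the assumed table, change it in one place here rather than in every prompt.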

Supported AWS Sources

  • CloudTrail API calls
  • GuardDuty threat findings
  • Security Hub compliance findings
  • VPC Flow Logs network traffic
  • WAF web application attacks
  • Macie data sensitivity findings
  • Inspector vulnerability findings
  • Config compliance events
  • IAM Access Analyzer findings
  • Route 53 DNS queries
  • RDS database logs
  • EKS Kubernetes audit logs
  • CloudWatch alarms
  • EventBridge events
  • AWS Budgets alerts
  • Threat Intelligence IOCs

Use Cases

  • AWS security event triage and analysis
  • GuardDuty finding interpretation
  • CloudTrail event investigation
  • Compliance violation detection (CIS, PCI-DSS, HIPAA, GDPR)
  • MITRE ATT&CK technique mapping
  • Multi-source event correlation
  • Attack scenario detection
  • Incident response planning

Limitations

  • Trained on synthetic AWS security events
  • May require validation on real-world data
  • Performance depends on input quality
  • Best used as an assistant tool, not as a replacement for human analysis

Citation

If you use this model in your research or application, please cite:

@misc{wazuh_aws_security_llama_aws_security_analyst,
  title={Wazuh AWS Security Analyst based on LLaMA 3.1 8B},
  author={pyToshka},
  year={2025},
  publisher={HuggingFace},
  url={https://huggingface.co/pyToshka/aws-security-analyst}
}

Acknowledgments

Built with:

  • Data: AWS security documentation, MITRE ATT&CK Cloud Matrix, Wazuh Rules, and more
  • Training: Wazuh, AWS

License

This model inherits the LLaMA 3.1 Community License from the base model.

Contact

Issues: Please open an issue on the repository

Disclaimer

This model is provided for research and educational purposes. Always validate outputs with human security expertise before taking action on security incidents.

Weights: Safetensors, 8B params, BF16